Biggest Cyber Attacks September 2025
Posted in News
Biggest Cyber Attacks Introduction
September 2025 brought some of the biggest cyber attacks to date, part of a seemingly endless series of cyber incidents affecting industries ranging from governmental offices to manufacturing, automotive, and retail giants. Attacks on Jaguar Land Rover and Bridgestone highlighted the vulnerabilities in automotive and industrial operations. At the same time, a massive compromise of Salesforce customer data demonstrated the severe and constant dangers of supply chain hacks. Even sensitive public sector entities like the Office of the Pennsylvania Attorney General struggled with disruptive ransomware attacks. In this cyber turmoil, one thing is sure: no business is immune to an attack.
Biggest Cyber Attacks: How We Got Here
Ransomware and data exfiltration methods continue to evolve at an alarming rate. Attackers sprinkle in sophisticated social-engineering attacks one week, then shift to stealthy supply chain intrusions the next. For example, threats like the Shai-Hulud worm, which compromised hundreds of npm packages this month, illustrate the growing problem of criminals leveraging open-source dependencies to gain wide-scale access. At the same time, the infiltration of CRM integrations for major SaaS platforms, including Salesloft, exposed how quickly threat actors can move laterally once they get into a business’s supply chain.
All of this has triggered higher levels of regulatory scrutiny. Businesses are rethinking their processes with their partners, vendors, and workforce. A faulty IT security control from a third-party technology vendor or an unsuspecting insider may result in a costly situation, reputational harm, and irreversible financial losses.
Major Ransomware Attacks
Early in September, the Office of the Pennsylvania Attorney General found itself crippled by a ransomware incident that forced a two-week shutdown of essential services. This meant inaccessible public portals, disrupted email systems, and idle phone lines. The office refused to meet the ransom demands, underscoring the stance government institutions typically take toward negotiating with cybercriminals. Although services were eventually restored, this attack was a reminder that hackers target even the most fundamental public sector agencies.
Financial Services: FinWise Insider Breach
The assumption that threats are always external was disproved last month when a former employee at FinWise accessed internal systems, potentially compromising the personal data of nearly 689,000 customers. The shock surrounding this breach underscores the urgency of monitoring internal controls and ensuring proper offboarding procedures. Internal caution is just as crucial as defending your perimeter from sophisticated external actors.
Healthcare and Education: Kido International
An attack on a London-based childcare provider, Kido International, illustrated the ruthless nature of modern ransomware attacks. Sensitive information on over 8,000 children was stolen, including photos and home addresses. In a chilling display, the criminals posted a sample of this data online. It is a frightening type of attack, as the data of the youngest and most vulnerable populations can be used as leverage to pressure any company into making payments.
Salesforce-Targeted Supply Chain Attacks
One of the most far-reaching incidents in September involved multiple companies that rely on Salesloft Drift integrations within Salesforce. Attackers used compromised OAuth tokens to enter various company environments and exfiltrate customer records. Giants like Palo Alto Networks, Cloudflare, Zscaler, and others found that customer contact information, support case content, and even API keys had been exposed. Some threat actors claimed to have taken up to 1.5 billion records, placing an untold number of businesses and individuals at risk.
Automotive and Retail: Stellantis and Harrods
Major cracks also appeared in sectors not typically associated with data theft. Automaker Stellantis confirmed that a breach stemming from the same Salesforce-related campaign had exposed employee, supplier, and customer data. Meanwhile, luxury retailer Harrods witnessed the compromise of 430,000 online customer profiles via a third-party incident. What stood out in Harrods’ response was the firm’s outright refusal to negotiate with the attackers. This stance sparked debate on whether refusing to pay or communicate might deter future threats or provoke more aggressive follow-up attacks.
Emerging Threat Actors and Insider Risks
The intrusions linked to ShinyHunters, UNC6395, and other groups indicate a security landscape that grows more intricate by the day. External hacking groups remain a serious threat, and rogue insiders compound it. The FinWise event was one clear example of how oversight gaps can become costly liabilities. Maintaining real-time monitoring and quickly revoking access for former employees helps reduce internal points of failure, just as advanced endpoint monitoring and firewalls help mitigate external risk.
Cyber Attacks Beyond Ransomware and Data Theft
Several automotive manufacturers were thrust into the headlines for reasons having nothing to do with their newest models. A cyberattack against Jaguar Land Rover caused a prolonged production shutdown spanning nearly a month, leading to significant operational and financial setbacks. While Jaguar Land Rover initially believed no customer data had been compromised, it later became apparent that sensitive data had been exposed.
Bridgestone offered a contrasting tale of rapid containment. When intruders struck its North American facilities, decisive action curtailed the attack early, preventing data theft or deeper network infiltration. Both stories underscore the importance of having robust incident response runbooks ready and tested before disaster strikes.
Supply Chain Attacks in Open-Source Ecosystems
Open-source software has become essential to development teams, but it is also a prime target for cyber attackers. This month saw the “S1ngularity” supply chain attack slip malicious code into thousands of GitHub repositories, effectively recruiting them into an AI-powered credential-harvesting operation. Developers and companies that relied on these packages became unwitting participants in the supply chain compromise, revealing how penetrable today’s coding pipelines can be once threat actors weaponize them.
Emergence of New Ransomware and Malware Variants
The emergence of malware like “HybridPetya” and “Obscura” underscores how relentless cybercriminals are in refining their methods. HybridPetya can circumvent UEFI Secure Boot protections, a critical layer of modern system security, while Obscura leverages domain controllers to spread throughout a network automatically. These developments remind security leaders to stay vigilant and continuously adapt patching strategies, endpoint security controls, and employee training.
Notable Vulnerabilities and Patches
September 2025 introduced a flurry of high-profile patches from technology companies. Google rushed out an emergency update to Chrome to fix a zero-day flaw (CVE-2025-10585), which attackers could exploit simply by luring users to compromised websites. Apple, too, issued rapid-fire patches to contain exploits that bypassed device protections without requiring a single click from the victim. These moves highlight how critical it is for businesses to remain vigilant about quickly installing vendor updates.
Cisco & SAP Exploits
Enterprise-grade vulnerabilities in Cisco’s ASA/FTD firewall software and SAP’s S/4HANA platform were also discovered. Some zero-days were reportedly being leveraged in targeted attacks, allowing criminals to gain remote system access or inject malicious code at the kernel level. While patches were released, many companies delayed implementation, exposing themselves to active exploitation. This highlights an ongoing struggle: how to strike a balance between maintaining uptime and ensuring the prompt application of critical security fixes.
Lessons Learned: Strengthening Cyber Defenses
People and processes remain the most important aspects of data security, regardless of how cutting-edge an organization’s technology stack may be. Tabletop exercises and war-gaming sessions help leadership teams test crisis communication, escalation paths, and remediation methods in a simulated but realistic environment. Having mapped playbooks that detail each stakeholder’s role can be the difference between rapid containment and protracted chaos when a real attack occurs.
Proactive Vulnerability Management
Ongoing network vulnerability assessments and penetration tests help detect new weaknesses before attackers can exploit them. By proactively scanning networks and systems, companies can organize patch rollouts more effectively and avoid leaving known holes unaddressed. Equally important is to keep an eye on credible threat intelligence sources to detect any new exploits or malicious campaigns targeting the software products your company relies upon. Frequent updates to security configurations and the timely application of patches can significantly reduce the exposure window.
Looking Ahead: Preparing for the Next Wave
Threats will continue to diversify and escalate in complexity, targeting not only data but also core operational technology, intellectual property, and the trust companies have built with their customers and stakeholders. With threat actors often launching coordinated, multi-stage attacks, layered defenses and robust response plans will remain indispensable. Regularly reviewing (and adapting) security policies, mapping your most critical assets, and allocating appropriate budgets toward long-term cyber resilience will help keep you on firm ground even as attacks increase in complexity.
Biggest Cyber Attacks in September Conclusion
The attacks in September 2025 reveal that no sector or region is beyond the reach of hackers. From large manufacturing firms and government offices to SaaS platforms and childcare providers, the scale of disruption is truly expansive, impacting entire communities. Yet the lessons we extract also bring us one step closer to more fortified defenses and well-coordinated incident response. By investing in continuous training, rigorous patch management, and strengthened supply chain oversight, businesses can improve their ability to withstand the next wave of cyber attacks. Preparedness, above all, stands as the line between mere survival and lasting resilience in today’s digital world.